This reworks the parser such that COM_CHANGE_USER switches the
connection back into the CONNECTION_PHASE so that we can remove the
EXPECT_AUTH_SWITCH special case in the COMMAND_PHASE. Adds two pcaps
produced with Python that actually do COM_CHANGE_USER as it seems
not possible from the MySQL CLI.
Now that we use CONNECTION_PHASE and interpret AuthSwitchRequest
correctly, we can remove reliance on the plugin discrepancy to
determine expectations.
Remove caching_sha2_password parsing/state from the analyzer and implement
the generic events. If we actually want to peak into the authentication
mechanism, we could write a separate analyzer for it. For now, treat it
as opaque values that are exposed to script land.
The added tests show the --get-server-public-key in use where
mysql_auth_more_data contains an RSA public key.
This instantiates the SSL analyzer when the client requests SSL
so that Zeek now has a bit more visibility into encrypted MySQL
connections.
The pattern used is the same as in the IMAP, POP or XMPP analyzer.
We were parsing MySQL using bigendian even though the protocol is
specified as with "least significant byte first" [1]. This is most
problematic when parsing length encoded strings with 2 byte length
fields...
Further, I think, the EOF_Packet parsing was borked, either due to
testing the CLIENT_DEPRECATE_EOF with the wrong endianness, or due to
the workaround in Resultset processing raising mysql_ok(). Introduce a
new mysql_eof() that triggers for EOF_Packet's and remove the fake
mysql_ok() Resultset invocation to fix. Adapt the mysql script and tests
to account for the new event.
This is a quite backwards incompatible change on the event level, but
due to being quite buggy in general, doubt this matters to many.
I think there is more buried, but this fixes the violation of the simple
"SHOW ENGINE INNODB STATUS" and the existing tests continue to
succeed...
[1] https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_basic_dt_integers.html
Added a comment to clarify comparison of EOF packet length to 13.
* origin/topic/vladg/gh-843:
Update baselines
Made additional MySQL fixes.
Add support to MySQL for deprecation of EOF packets.
Whitespace cleanup & fixes
Fix EOF detection in the MySQL protocol analyzer.
1) There are a couple more places where the new protocol uses and OK
packet instead of the deprecated EOF.
2) With > 255 results, we could end up in an situation where the uint8
sequence number would wrap, and we'd naively think it'd be a new
handshake.
Now, we track the previous sequence number, and assume overflow if it
was 255 previously and 0 now.
We also reset the previous sequence number to 0 in various packets
that we'd expect at the end of other commands.
From the docs: "As of MySQL 5.7.5, OK packes are also used to indicate
EOF, and EOF packets are deprecated."
The client sets a capability flag (CLIENT_DEPRECATE_EOF) to indicate
that it expects an OK instead of an EOF after the resultset rows.
The MySQL
documentation (https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_basic_eof_packet.html)
warns us that "You must check whether the packet length is less than 9
to make sure that it is a EOF_Packet packet."
While we were doing this in two places, we were comparing the total
packet length, which includes the 4-byte header. Changed to compare to
13 instead.
* MySQL: the parser for this was generally broken (not following
the specification well) and needed many changes. One addition is a
new "mysql_result_row" event that provides access to the results of
queries.
* SMB: the spec seems to explitly call out the omission of the
PrimaryDomain field on SMB_COM_SESSION_SETUP_ANDX responses (and I
don't see that field in pcaps either), so this may have just been a
typo that used to work fine in the past only due to faulty array
parsing behavior in binpac.
* origin/topic/vladg/mysql:
Update baselines.
Fix a logic bug with handling quits after the cleanup.
Integrate MySQL with the software framework
A bit of MySQL cleanup - removed unused events, consolidated similar events, fixed up main.bro a bit
Move MySQL analyzer to the new plugin architecture.
Add a btest for the Wireshark sample MySQL PCAP
Add support for more commands, and support quit
Redo the response handling..
Whitespace/readability fixes.
Add memleak and auth btests.
Update baselines.
Get MySQL to compile and add basic v9 support.
MySQL analyzer
